Clandestine SIGINT Operations - Vigilant Dawn After Action Report
Updated: Jan 8
**FULL DISCLOSURE AND IMPORTANT NOTES**
This was the first time individuals associated with Blackline attempted to conduct surveillance of a third party event. It was conducted WITHOUT their knowledge. While the initial risk assessments showed negligible impact on the event, circumstances did not turn out that way. As such, Blackline has modified its SOP when conducting these activities and now requests/informs event hosts at all times. This was an important lesson learned and one we would encourage you to incorporate if attempting this activity yourself.
Blackline conducted an independent surveillance operation of Force Recon’s Nightfall milsim event in order to test out new technologies. A series of incidents led to a complete mission scrub and compromised personnel. After discussing the events with the task force, it was felt sharing the details behind the operation would help alleviate any concerns individuals may have about Blackline’s involvement.
Participants at Blackline events have shown a growing interest in signals intelligence (SIGINT), open source intelligence (OSINT), and intelligence, surveillance, and reconnaissance (ISR). To increase participants' exposure to these skill sets at Blackline events, Blackline commissioned a small company to research and develop an array of devices to intercept and process signals intelligence. These included a device that can record all of the FRS/GMRS spectrum simultaneously, and remote audio sensing devices. Small scale tests were successful, but tests were needed on higher traffic volumes.
Nightfall is an event run by an Ontario, Canada group called Force Recon. The Force Recon Milsim Challenge (FRMSC) draws approximately 300 players from Canada and the US. Hosted at the Picton Recreation Zone (PRZ - an old military hospital complex), this annual event provided an excellent chance to see how well devices managed the vast amount of radio and audio traffic. It was also a suitable test to see whether personnel could piece together an operational picture based on the remote sensing data.
Task Force Vigilant Dawn and its Intent
Work began approximately 5 months in advance. The task force was presented with a set of problems to solve: 1) How to tap into the command and control communications network? 2) How to monitor locations of key assets? 3) How to monitor the fighting strength of the two opposing teams in the field?
A small group met with the technical personnel to understand what technology could be developed to answer these questions. They also had to create courses of action (missions) for its deployment and contingencies in the event of its failure. While developing the course of action, there were frank discussions about what would be ethical and what would be inappropriate to do. The following key principles were decided on.
At no point would any Task Force personnel cross into the PRZ playing field, the boundaries of which were verified by the Prince Edward County GIS system. None of the task force personnel had paid for the event, so attending would be unethical and akin to stealing.
At no point would ANY of the information be shared with either team. Information shared, even casually, with event leadership or players could suggest Blackline was influencing this event. For that reason, all information about the Task Force and its activities was withheld from all attending players and leaders.
Task Force personnel would be forbidden from carrying weapons anywhere near the property lines of the site. The risk of misunderstanding or accident was too high and unacceptable.
With these restrictions in mind, several plans were developed. First, an operations center would be set up within ~1km of the event as a hub for the technical services. Second, a high-powered, directional wireless network (affectionately dubbed the ‘Cancer Ray’) would be installed in areas surrounding PRZ. Third, small reconnaissance teams would be placed outside of the PRZ property using batches of UV-5R radios to act as a backup for the devices. Finally, a layout of the property, command locations, and other key population areas would have to be developed in order to determine the ideal locations for devices. All of this was supported by a team of personnel that spent weeks building profiles and dossiers on key players and teams attending Nightfall.
It is noteworthy at this point to call out that Blackline did not contact Force Recon in advance of this event. Based on the three key principles decided on during those first meetings, we expected there would be zero impact to the organizers or the participants. This was one of the failure points that led to the mission being scrubbed.
Deployment and Missions
Establishing the Operations Centre
Blackline leased the Picton Airfield and surrounding lands which wrap around the target site on three sides. On the evening of Thursday June 7th, elements arrived and proceeded to set up the site. This included blacking out the windows to prevent light leaks, standing up the communication network, and live location tracking of all task force members. As units arrived, their equipment was stowed and vehicles moved offsite in order to reduce the signature. Security teams were deployed to observe routes in and out of the airfield. Other teams were tasked with maintaining a count of vehicles entering the PRZ property to begin building troop strength data.
During these initial tasks at the operations centre, several failures occurred that contributed to the compromise of the mission. First, standards were relaxed for newer participants and, as the night went on, for everyone. The development of ‘kit bombs’ - disorganized and distributed personal equipment - became more and more apparent. These are a natural result of people going through their bags, but must be managed. Another standard that was relaxed was that of moving vehicles off site. The inconvenience leads to complacency. In the end, one vehicle was left outside the operations centre. Seemingly insignificant on its own, when combined with other small signs it creates a larger signature of activity.
Observation Missions
As the Task Force tallied more and more vehicles staying on site, they required an understanding of where personnel and command tents were located. This information was critical for proper setup of the surveillance infrastructure. Use of drones by the Task Force was prohibited due to proximity to the airport. To solve this, personnel dressed in civilian clothing were deployed into a public trail network north of the site. They moved south until they encountered the PRZ property and began gathering imagery. Similar portfolios were created by teams dressed in camouflage clothing using 800mm lenses operating just west of the site. The long focal length of the lenses allowed for a suitable setback distance from the property line while still producing quality images. The observation tasks were successful. However, personnel left sign they’d been in place. Consistent use of specific ingress or egress routes, and failure to properly return an observation site to its original state, create a larger picture of activity.
Installation and Support Missions
Once suspected command and control areas had been identified by observation taskings, missions to deploy the surveillance equipment were stood up. The two initial installation missions took place at 1100h Friday night and 0100h Saturday morning. Using the cover of darkness, a pair of teams were deployed into the airfield lands surrounding PRZ. Team 15 was inserted by vehicle on Clarke Road south east of the site and infiltrated westward on foot. Team 16 inserted and infiltrated by foot into the woods west of PRZ.
The mission for Teams 15 and 16 was to search for suitable installation sites for the network infrastructure. Sites needed to be near suspected command and control areas, but also in areas that would provide a high degree of coverage across the whole property. Team 15 had the additional task of assessing whether a strip of PRZ property that extended into the airfield property had been occupied by one of the Nightfall teams.
A support team was also inserted by foot and infiltrated into the airfield lands south of PRZ around 0200h. Team 14 was tasked with providing the redundant support for the radio and audio intercept equipment. The team would establish a hide and remain there while manning the radios.
Due to technical issues, the initial installation of monitoring equipment could not be completed before first light at 0413h. It is at this point that the first decision to scrub the mission should have taken place. Without the cover of darkness, risks around installation became much higher. Waiting until the following night was less risky with regard to discovery. However, with 300+ armed individuals roaming the PRZ property, there was an increased chance that a rogue unit would stray from the playing area and possibly encounter task force personnel in the dark.
Instead of scrubbing, 15 and 16 were recalled and a new ad hoc plan was created to reduce the scope of surveillance, conduct tests to resolve the technical issues, and install the equipment in the morning. It is important to note that the initial mission had been carefully designed and constructed. By modifying the plans and leaving out key components, we were unknowingly removing key security considerations.
The second installation mission kicked off around 0600h. Team 15 moved to the site west of the airfield using the same routes they had used previously. When on site, they began testing of equipment while security personnel were sent out to act as early warning listening posts. The teams had just finished their testing and preparation of equipment when the mission was compromised. At some point between 1100h and 1200h on Saturday, an individual looking to relieve himself approached the property line and discovered one of the security listening posts. With standing orders to not interfere with the Nightfall event, the listening post fell back and alerted the install team. The group aborted all activities and returned to the operations centre and the task force declared the mission scrubbed. Personnel spent some time trying to organize their equipment and reverse the ‘kit bomb’. They were then shuttled to their vehicles.
Team 14 was ordered to abort their monitoring mission and return to base, but because of their distance, it would be some time before they were able to arrive.
During this gap, the individual who had spotted the task force listening post reported the incident to leadership or event control. Force Recon event control moved into the woods and followed the signs (such as crushed grass and reused infil/exfil routes) back to the operations centre. There, they discovered signs of activity including the lone vehicle left outside. Without personnel at the TOC, only the remote security team could see Force Recon but was not in a position to leave their hide site and approach.
When Team 14 finally arrived at the operations centre, they began to pack out their equipment. At this point, a vehicle with Force Recon personnel arrived. At roughly the same time, Task Force command arrived from an equipment shuttling run and made contact with Force Recon leadership to discuss the incident.
This event is an excellent example of how small errors can cascade into larger, more complex challenges that eventually become uncontrollable. They can be evaluated from two perspectives: from within the event, and within the real world.
The in-event perspective is a case study for diligence and adherence to standards. Personnel must be made to adhere to the minimum requirements no matter how tedious or mundane. Disorganized equipment resulted in delayed exfils. Vehicles left behind were signs of activity no matter how insignificant. Repeated use of routes creates a trail to follow. There are real reasons for standards, and this compromise illustrates them perfectly. If Force Recon had been an opposing force in an event, far too much evidence was left linking the operations centre to the activities near PRZ. Optimistic views of how someone would act after discovering personnel, or how far someone may go to investigate, have no place in the Blackline risk assessment and mitigation process. The absolute worst case must be assumed, the risks must be clearly identified, and the unit would collectively mitigate or accept accordingly. In execution of the mission, those mitigations must be maintained. When they disappear, risks become too high and the mission must be scrubbed, no matter what.
The real world mistakes come from small errors in assumption. The first being that the intent to be zero-impact on Nightfall did not mean we were zero-impact. All of the carefully considered limitations placed on the unit to prevent interference did not prevent contact with Nightfall participants. The second error in assumption was assuming that since the Task Force would have no impact on the event, it eliminated the need to discuss the missions with Force Recon. Investigating the incident undoubtedly took up precious time and resources prior to kicking off their event. Without any knowledge of the taskings, it was also reasonable for them to imagine the worst possible case scenario and approach the investigation from that perspective. While Jason and the Force Recon personnel were reassured by the explanations, it certainly sours their perception of what Blackline is and what it does.
There are larger impacts here as well to the Nightfall team leads who, at best, would be thinking they were being plotted against by the opposing team, or at worst, be thinking unknown thieves are waiting in the woods to steal equipment. The average players would also be concerned about the influence of Blackline on the outcome of an event they expect to control. To all of those people, including Jason, Force Recon, Mitch, Connor, and their teams, we apologize. Hopefully the description of our taskings, intent, and considerations alleviates some of your concerns.